Client Network List (CNL)
The VPN SDK allows you to configure client network lists (CNLs) to control when the VPN enables or disables based on the device's current network connection. This article explains how to set up client networks and utilize the CNL feature in your VPN app.
What are Client Network Lists?
A client network list defines rules for enabling or disabling the VPN connection depending on the type of network the device is currently connected to. The supported network types are:
Wi-Fi
Wireless WAN (WWAN)
Local Area Network (LAN)
For each network type, you can specify an action to either enable or disable the VPN when the device connects to a network matching that type.
Setting Up Client Networks
To configure client networks:
Sign in at pango-cloud.com.
Navigate to Settings -> VPN -> Client Networks, click on the Add button.
Edit the settings for the client network rule:
Select the network Type (Wi-Fi, WWAN, or LAN)
Choose the Action (enable or disable the VPN)
Practical Use Cases and Configuration Examples
Common CNL Configuration Scenarios
Here are some practical examples of how to configure CNL rules for common use cases:
1. Enable VPN on All Open/Public WiFi Networks
To automatically enable VPN when connecting to any open (unencrypted) WiFi network:
Type: WiFi
SSID: (leave empty)
BSSID: (leave empty)
Authorized: False
Action: Enable
This configuration will activate the VPN whenever your device connects to an unsecured WiFi network, providing protection on public hotspots.
2. Disable VPN on Cellular/Mobile Data
To conserve mobile data and battery by disabling VPN when on cellular:
Type: WWAN
Action: Disable
This is useful when you trust your mobile carrier's network and want to avoid the additional data overhead of VPN tunneling.
3. Disable VPN on Trusted Home/Office Networks
To disable VPN on specific trusted networks:
Type: WiFi
SSID: "MyHomeNetwork"
BSSID: "AA:BB:CC:DD:EE:FF" (optional, for extra security)
Action: Disable
Adding the BSSID ensures the rule only applies to your specific router, preventing spoofed SSIDs from bypassing VPN protection.
4. Always Enable VPN on Specific Public Networks
For known public networks where you always want protection:
Type: WiFi
SSID: "Starbucks WiFi"
Action: Enable
5. Corporate Network Configuration
For enterprise deployments where VPN should be disabled on corporate LAN:
Type: LAN
Action: Disable
Best Practices
Security First: When in doubt, default to enabling VPN. It's better to have unnecessary protection than to expose sensitive data.
Use BSSID for Critical Networks: For networks where you absolutely want to disable VPN (like home networks), include the BSSID to prevent SSID spoofing attacks.
Test Your Rules: Always test CNL configurations in different network scenarios to ensure they behave as expected.
Consider Battery and Data: Balance security needs with practical considerations like battery life and data usage, especially for mobile users.
Configuration Priority
When multiple rules might apply, the SDK evaluates them in the following order:
Most specific rules (with both SSID and BSSID) take precedence
Rules with only SSID come next
Generic rules (no SSID/BSSID) are applied last
If no rules match, the VPN state remains unchanged
Local Client Network Lists
Partner applications with built-in our VPN SDK can configure CNL behavior directly on each device. This provides more granular control over VPN behavior based on local network conditions.
Local CNL Characteristics
The partner app can instruct the SDK on how to behave with network settings
Local CNL rules are configured by the user through
updateCNLandclearCNLmethodsThese rules are applied independently of remote CNL configuration and persist even if remote CNL fetching fails
Behavior is set on each device separately and stored locally
Behavior settings are erased upon app reinstall
Platform Support and Limitations
Apple Platforms
Both iOS and macOS support server-side and local CNL configuration. See Current limitations and behaviors section below for platform-specific details.
Protocol Support
Supported: Hydra and WireGuard protocols
Not Supported: IPSec protocol
Enabling Client Network Lists
To utilize client network lists in your app, first enable the feature by setting isClientListEnabled to true in your ModulesConfiguration:
let modulesConfiguration = ModulesConfiguration(
isClientListEnabled: true,
// other configuration...
)Retrieving CNL Rules
The SDK will automatically fetch the configured CNL rules before enabling the VPN. You can access the retrieved rules through the `clientNetworkList` property on the `HydraSDK` instance:
let clientNetworkList = hydraSDK.clientNetworkListThe clientNetworkList will contain an array of ClientNetworkRule objects representing the matched rules for the current network.
How CNL Settings Work
CNL settings control VPN behavior based on network conditions. Here's a high-level overview:
When VPN is connected: CNL rules can dynamically enable or disable the tunnel based on the current network
When VPN is disconnected: CNL rules do not automatically start the VPN when switching networks (automatic startup requires application-level implementation)
Detailed Behavior
CNL settings are applied on the tunnel side when the VPN is already in a connected state with on-demand enabled:
VPN Connected with Disabled Rule
If the VPN is connected and the current network matches a CNL rule with action: .disable, the tunnel will enter bypass mode. Network traffic will go directly through the device's network connection without passing through the VPN tunnel.
VPN Connected with Enabled Rule
If the VPN is connected and the current network matches a CNL rule with action: .enable, the tunnel will attempt to connect to VPN servers.
Automatic VPN Startup
Important: When the VPN is not connected and the user changes to a network that matches an enabled rule, the VPN will not be started automatically. With the current implementation, automatic VPN startup can be achieved at the application level using workarounds such as HotspotHelper.
Code Samples
Configure using HydraSDK:
import VPNApplicationSDK
// ...
let groupData = VPNGroupData(groupID: "group.com.yourcompany.vpnsdk-demo", usesSystemExtension: false)
let hydraConfiguration = HydraConfiguration(
carrierID: "YOUR_CARRIER_ID",
extensionBundleID: "com.yourcompany.vpnsdk-demo.neprovider",
groupData: groupData,
fireshieldConfig: FireshieldConfig(mode: .disabled, groupData: groupData),
modulesConfiguration: ModulesConfiguration(isClientListEnabled: true)
)
let hydraSDK = HydraSDK(configuration: hydraConfiguration)
hydraSDK.start(location: VirtualLocation.optimal(), proxy: nil, completion: { error, credential in
if let error = error {
print("Failed \(error)")
} else {
print("Success")
let clientNetworkList = hydraSDK.clientNetworkList
// Now we have access to the clientNetworkList, which contains data about available networks
}
})Current limitations and behaviors
iOS Platform Limitations
Mobile Data Connection Behavior
When connecting to VPN while using mobile data on iOS devices, the following behavior occurs regardless of the CNL remote configuration action setting:
VPN Status: Displays as "Connected"
Mode: Full Bypass mode is active
Traffic Routing: All traffic is bypassed and routed outside the VPN tunnel
Configuration Impact: This behavior remains consistent whether the CNL action is set to "Disabled" or "Enabled"
macOS Platform Support
LAN Connection Support
CNL functionality is fully supported for LAN connections on macOS:
Status: Operational
Known Issues: The existing WiFi network SSID/BSID determination issue does not affect LAN connections
Compatibility: Full CNL feature set available for LAN interfaces
Technical Note
The WiFi-related issues on macOS are specifically related to network identification (SSID/BSID determination) and do not impact the core CNL functionality when used with LAN connections.
Last updated
Was this helpful?